Example 41 with SQLExpr
use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.
the class WallVisitorUtils method checkSchema.
private static boolean checkSchema(WallVisitor visitor, SQLExpr x) {
final WallTopStatementContext topStatementContext = wallTopStatementContextLocal.get();
if (topStatementContext != null && (topStatementContext.fromSysSchema || topStatementContext.fromSysTable)) {
return true;
}
if (x instanceof SQLName) {
String owner = ((SQLName) x).getSimpleName();
owner = WallVisitorUtils.form(owner);
if (isInTableSource(x) && !visitor.getProvider().checkDenySchema(owner)) {
if (!isTopStatementWithTableSource(x) && !isFirstSelectTableSource(x) && !isFirstInSubQuery(x)) {
SQLObject parent = x.getParent();
while (parent != null && !(parent instanceof SQLStatement)) {
parent = parent.getParent();
}
boolean sameToTopSelectSchema = false;
if (parent instanceof SQLSelectStatement) {
SQLSelectStatement selectStmt = (SQLSelectStatement) parent;
SQLSelectQuery query = selectStmt.getSelect().getQuery();
if (query instanceof SQLSelectQueryBlock) {
SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) query;
SQLTableSource from = queryBlock.getFrom();
while (from instanceof SQLJoinTableSource) {
from = ((SQLJoinTableSource) from).getLeft();
}
if (from instanceof SQLExprTableSource) {
SQLExpr expr = ((SQLExprTableSource) from).getExpr();
if (expr instanceof SQLPropertyExpr) {
SQLExpr schemaExpr = ((SQLPropertyExpr) expr).getOwner();
if (schemaExpr instanceof SQLIdentifierExpr) {
String schema = ((SQLIdentifierExpr) schemaExpr).getName();
schema = form(schema);
if (schema.equalsIgnoreCase(owner)) {
sameToTopSelectSchema = true;
}
}
}
}
}
}
if (!sameToTopSelectSchema) {
addViolation(visitor, ErrorCode.SCHEMA_DENY, "deny schema : " + owner, x);
}
} else {
if (topStatementContext != null) {
topStatementContext.setFromSysSchema(Boolean.TRUE);
clearViolation(visitor);
}
}
return true;
}
if (visitor.getConfig().isDenyObjects(owner)) {
addViolation(visitor, ErrorCode.OBJECT_DENY, "deny object : " + owner, x);
return true;
}
}
// if (ownerExpr instanceof SQLPropertyExpr) {
if (x instanceof SQLPropertyExpr) {
return checkSchema(visitor, ((SQLPropertyExpr) x).getOwner());
}
return true;
}
Also used :
SQLObject(com.alibaba.druid.sql.ast.SQLObject)
SQLName(com.alibaba.druid.sql.ast.SQLName)
SQLIdentifierExpr(com.alibaba.druid.sql.ast.expr.SQLIdentifierExpr)
SQLPropertyExpr(com.alibaba.druid.sql.ast.expr.SQLPropertyExpr)
SQLStatement(com.alibaba.druid.sql.ast.SQLStatement)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
Example 42 with SQLExpr
use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.
the class WallVisitorUtils method checkDelete.
public static void checkDelete(WallVisitor visitor, SQLDeleteStatement x) {
checkReadOnly(visitor, x.getTableSource());
WallConfig config = visitor.getConfig();
if (!config.isDeleteAllow()) {
addViolation(visitor, ErrorCode.INSERT_NOT_ALLOW, "delete not allow", x);
return;
}
boolean hasUsing = false;
if (x instanceof MySqlDeleteStatement) {
hasUsing = ((MySqlDeleteStatement) x).getUsing() != null;
}
boolean isJoinTableSource = x.getTableSource() instanceof SQLJoinTableSource;
if (x.getWhere() == null && (!hasUsing) && !isJoinTableSource) {
WallContext context = WallContext.current();
if (context != null) {
context.incrementDeleteNoneConditionWarnings();
}
if (config.isDeleteWhereNoneCheck()) {
addViolation(visitor, ErrorCode.NONE_CONDITION, "delete none condition not allow", x);
return;
}
}
SQLExpr where = x.getWhere();
if (where != null) {
checkCondition(visitor, where);
if (Boolean.TRUE == getConditionValue(visitor, where, config.isDeleteWhereAlwayTrueCheck())) {
if (config.isDeleteWhereAlwayTrueCheck() && visitor.isSqlEndOfComment() && !isSimpleConstExpr(where)) {
addViolation(visitor, ErrorCode.ALWAYS_TRUE, "delete alway true condition not allow", x);
}
}
}
// checkConditionForMultiTenant(visitor, x.getWhere(), x);
}
Also used :
MySqlDeleteStatement(com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlDeleteStatement)
WallConfig(com.alibaba.druid.wall.WallConfig)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
WallContext(com.alibaba.druid.wall.WallContext)
Example 43 with SQLExpr
use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.
the class WallVisitorUtils method checkJoinConditionForMultiTenant.
@Deprecated
public static void checkJoinConditionForMultiTenant(WallVisitor visitor, SQLJoinTableSource join, boolean checkLeft, StatementType statementType) {
String tenantTablePattern = visitor.getConfig().getTenantTablePattern();
if (tenantTablePattern == null || tenantTablePattern.length() == 0) {
return;
}
SQLExpr condition = join.getCondition();
SQLTableSource right = join.getRight();
if (right instanceof SQLExprTableSource) {
SQLExpr tableExpr = ((SQLExprTableSource) right).getExpr();
if (tableExpr instanceof SQLIdentifierExpr) {
String tableName = ((SQLIdentifierExpr) tableExpr).getName();
if (ServletPathMatcher.getInstance().matches(tenantTablePattern, tableName)) {
String alias = right.getAlias();
if (alias == null) {
alias = tableName;
}
SQLBinaryOpExpr tenantCondition = createTenantCondition(visitor, alias, statementType, tableName);
if (condition == null) {
condition = tenantCondition;
} else {
condition = new SQLBinaryOpExpr(tenantCondition, SQLBinaryOperator.BooleanAnd, condition);
}
}
}
}
if (condition != join.getCondition()) {
join.setCondition(condition);
visitor.setSqlModified(true);
}
}
Also used :
SQLIdentifierExpr(com.alibaba.druid.sql.ast.expr.SQLIdentifierExpr)
SQLBinaryOpExpr(com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
Example 44 with SQLExpr
use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.
the class WallVisitorUtils method check.
public static void check(WallVisitor visitor, SQLSelectItem x) {
SQLExpr expr = x.getExpr();
if (expr instanceof SQLVariantRefExpr) {
if (!isTopSelectItem(expr) && "@".equals(((SQLVariantRefExpr) expr).getName())) {
addViolation(visitor, ErrorCode.EVIL_NAME, "@ not allow", x);
}
}
if (visitor.getConfig().isSelectAllColumnAllow()) {
return;
}
if (//
expr instanceof SQLAllColumnExpr && x.getParent() instanceof SQLSelectQueryBlock) {
SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) x.getParent();
SQLTableSource from = queryBlock.getFrom();
if (from instanceof SQLExprTableSource) {
addViolation(visitor, ErrorCode.SELECT_NOT_ALLOW, "'SELECT *' not allow", x);
}
}
}
Also used :
SQLAllColumnExpr(com.alibaba.druid.sql.ast.expr.SQLAllColumnExpr)
SQLVariantRefExpr(com.alibaba.druid.sql.ast.expr.SQLVariantRefExpr)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
Example 45 with SQLExpr
use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.
the class WallVisitorUtils method partExpr.
public static List<SQLExpr> partExpr(List<SQLExpr> exprs) {
List<SQLExpr> partList = new ArrayList<SQLExpr>();
for (SQLExpr x : exprs) {
if (x instanceof SQLBinaryOpExpr) {
SQLBinaryOpExpr binary = (SQLBinaryOpExpr) x;
if (binary.getOperator() == SQLBinaryOperator.BooleanAnd || binary.getOperator() == SQLBinaryOperator.BooleanOr) {
partList.add(((SQLBinaryOpExpr) x).getLeft());
partList.add(((SQLBinaryOpExpr) x).getRight());
continue;
}
}
partList.add(x);
}
return partList;
}
Also used :
ArrayList(java.util.ArrayList)
SQLBinaryOpExpr(com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
Aggregations
SQLExpr (com.alibaba.druid.sql.ast.SQLExpr)422
SQLBinaryOpExpr (com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr)71
SQLIdentifierExpr (com.alibaba.druid.sql.ast.expr.SQLIdentifierExpr)68
SQLName (com.alibaba.druid.sql.ast.SQLName)47
SQLIntegerExpr (com.alibaba.druid.sql.ast.expr.SQLIntegerExpr)33
SQLStatement (com.alibaba.druid.sql.ast.SQLStatement)32
SQLPropertyExpr (com.alibaba.druid.sql.ast.expr.SQLPropertyExpr)30
ArrayList (java.util.ArrayList)30
MySqlSelectQueryBlock (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlSelectQueryBlock)28
SQLMethodInvokeExpr (com.alibaba.druid.sql.ast.expr.SQLMethodInvokeExpr)25
SQLSelectItem (com.alibaba.druid.sql.ast.statement.SQLSelectItem)25
ParserException (com.alibaba.druid.sql.parser.ParserException)25
SQLObject (com.alibaba.druid.sql.ast.SQLObject)24
MySqlStatementParser (com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser)23
SQLAggregateExpr (com.alibaba.druid.sql.ast.expr.SQLAggregateExpr)20
SQLOrderBy (com.alibaba.druid.sql.ast.SQLOrderBy)17
SQLSelectQuery (com.alibaba.druid.sql.ast.statement.SQLSelectQuery)16
SQLCharExpr (com.alibaba.druid.sql.ast.expr.SQLCharExpr)15
SQLVariantRefExpr (com.alibaba.druid.sql.ast.expr.SQLVariantRefExpr)15
SQLSelectQueryBlock (com.alibaba.druid.sql.ast.statement.SQLSelectQueryBlock)15
